rpm package
suse/cockpit&distro=SUSE Linux Enterprise Server for SAP applications 16.0
pkg:rpm/suse/cockpit&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4631 | Cri | 9.8 | | < 354-160000.3.1 | 354-160000.3.1 | Apr 7, 2026 | Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects m |
| CVE-2026-26996 | | — | | < 354-160000.2.1 | 354-160000.2.1 | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact |
| CVE-2026-25547 | Cri | — | | < 354-160000.2.1 | 354-160000.2.1 | Feb 4, 2026 | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume |
| CVE-2025-13465 | Med | 5.3 | | < 340-160000.4.1 | 340-160000.4.1 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin |